Custom attributes on AD group Schema

Hi,

Has anyone tried aggregating extension attributes for groups in an Active Directory source?

I have done this for accounts and want to check if we can do the same for groups.

Just curious, why do you need this for groups?

@HussainshaSyed001 I have privileged groups under different OUs, but I want to bring in only selected groups from those OUs, so I want to use an extension attribute tagged: Privileged and then use that attribute in the group search scope.

Yes. The same way you added extension attributes to the Account Schema, you can add them to the Group Schema.
Ex: LDAP Search Filter : DC=yourdomain,DC=com(&(objectClass=group)(extensionAttribute1=Privileged)). This scans the entire domain but only aggregates groups where the extension attribute matches.

But keep in mind you need to set the filter in two places.

  1. Group Search Scope → LDAP Search Filter
  2. User Search Scope → Group Membership Search Filter (groups shown as user memberships during Account Aggregation)

If you only filter in Group Search Scope but not in User Search Scope, account aggregation will still bring in all group memberships for users including non-privileged groups. Set the filter in both places to keep it consistent.
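
A pre-check for the filter discussed above, added here as an example and not part of any reply in the thread: it lists the groups the LDAP filter returns and, for the direct user members of those groups, counts the memberships that point at untagged groups (the ones the last reply says would still come in if only Group Search Scope is filtered). It assumes the RSAT ActiveDirectory module and uses the thread's placeholder DN, which you replace with your own.

```powershell
# Added example. Assumptions: RSAT ActiveDirectory module is installed and
# the account running this can read groups and users under $SearchBase.
Import-Module ActiveDirectory

$SearchBase  = 'DC=yourdomain,DC=com'   # placeholder DN from the thread
$GroupFilter = '(&(objectClass=group)(extensionAttribute1=Privileged))'

# 1. Groups that match the filter under the search base.
$tagged = Get-ADGroup -LDAPFilter $GroupFilter -SearchBase $SearchBase `
                      -SearchScope Subtree -Properties extensionAttribute1

# DNs are compared case-insensitively.
$taggedDns = [System.Collections.Generic.HashSet[string]]::new(
                 [System.StringComparer]::OrdinalIgnoreCase)
foreach ($g in $tagged) { [void]$taggedDns.Add($g.DistinguishedName) }

'{0} group(s) match {1}' -f $taggedDns.Count, $GroupFilter
$tagged | Sort-Object Name | Select-Object Name, DistinguishedName |
    Format-Table -AutoSize

# 2. Direct user members of the tagged groups.
$members = foreach ($g in $tagged) {
    Get-ADGroupMember -Identity $g.DistinguishedName |
        Where-Object { $_.objectClass -eq 'user' }
}

# 3. Per user, count memberOf entries that are NOT tagged groups.
#    memberOf does not include the user's primary group.
$report = $members | Sort-Object DistinguishedName -Unique | ForEach-Object {
    $u = Get-ADUser -Identity $_.DistinguishedName -Properties memberOf
    $untagged = @($u.memberOf | Where-Object { -not $taggedDns.Contains($_) })
    [pscustomobject]@{
        User           = $u.SamAccountName
        TotalGroups    = @($u.memberOf).Count
        UntaggedGroups = $untagged.Count
    }
}

# Users listed here carry memberships outside the tagged set.
$report | Where-Object { $_.UntaggedGroups -gt 0 } |
    Sort-Object UntaggedGroups -Descending | Format-Table -AutoSize
```

An empty first table means no group carries the tag yet, so the filter would aggregate nothing.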